diff --git a/Module 3 :-: Network Scanning.md b/Module 3 :-: Network Scanning.md new file mode 100644 index 0000000..f88ea6c --- /dev/null +++ b/Module 3 :-: Network Scanning.md @@ -0,0 +1,105 @@ +## TCP vs UDP + - TCP and UDP (Transmission Control Protocol and User Datagram Protocol) are communications protocol that facilitate the exchange of message (in form of Packets) between computer devices in a network. These protocols decide how packet will reach the destination. 65535 + TCP UDP + - Connection Oriented Protocol - Connection Less protocol + - Provides Error checking - No Error Checking Mechanism + - Guarantees Delivery of Data - No Guarantees of Data Delivery + - Slower and less efficient for fast transmission - Faster Transmission + - All Packets follow the same path - Packets can follow any path to reach destination + - Automimic Retransmission possible - Retransmission is not possible in case of Packets loss +--------------------------------------------------- +## TCP Flags: + - SYN : Sync flag is used to Initiate 3 way handshake between hosts. + - ACK : Acknowledgment flag is used to acknowledge the successful receipt of a packet. + - FIN : The Finished flag means there is no more data from the sender. 1GB --> 50000 --> 1,2,3,4,5,6,.........50000 (FIN) + - URG : The Urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. + - PSH : The Push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them. + - RST : Reset a Connection +--------------------------------------------------- +## TCP 3 Way Handshake: + _____________________________________________ + | Client | Direction | Server | + |:-------------:|:-------------:|:---------:| + | SYN | ----> | | + | | <---- | SYN+ACK | + | ACK | ----> | | + + +## OSI Model + _________________________________________________________________________________________________________ + | Layer || Name || Description || Example protocols | + |:-----:||:------------------:||:----------------------------------------------:||:--------------------:| + | 7 || Application layer || Human Computer Interaction Layer. || HTTP, SNMP | + | 6 || Presentation layer || Ensure Data Usability Format || MIME, ASCII | + | 5 || Session layer || Maintain Con. and control Ports and Session || SOCKS, NetBIOS | + | 4 || Transport layer || Data Transmission by TCP or UDP || TCP, UDP | + | 3 || Network layer || Decide Physical Path for Transmission || IP, ICMP | + | 2 || Data link layer || Read MAC Address from data packet || MAC, ARP | + | 1 || Physical layer || Physical connection || Ethernet, Wi-Fi | + +## TCP/IP Model + __________________________________________________ + | Layer | Name | Example protocols | + |:-----:|:------------------:|:-----------------:| + | 4 | Application layer | HTTP, SNMP | + | 3 | Transport layer | TCP, UDP | + | 2 | Internet layer | IP, ICMP | + | 1 | Link layer | ARP, MAC | +--------------------------------------------------------------------------------------------------------------- +# Practical Part +------------------ +## Main Objectives + k1. Scan live host + k2. Open Ports and Running Services + k3. OS and Architecture info + k4. Security Implemented (Firewall, IDS, IPS) Detection and evasion + +## k1. Live hosts + arp-scan --local + nmap -sn / -sn specify NO-Port Ping Scan + ping + netdiscover -r / +-------------------------------------------------------------------------- +## Nmap Port Scan Status + Open - If No response is received by Nmap, it means Port is Open for connection. + Closed - If response is received by nmap with RST or SYN flag, it means ports are closed. + Filtered - May be some kind of firewall is implemented on client side. + Open/Filtered - Nmap is confused, either port is open or filtered. + Closed/Filtered - Nmap is confused, either port is closed or filtered +-------------------------------------------------------------------------- +## k2. Open Ports and Running Services Scan + Nmap + nmap Simple Port Scan + nmap -v Port Scan with increase verbosity. (-vv is more powerful) + nmap Scan Multiple host in single go + nmap <1.1.1.2-200> Scan IP Range from 2 to 200 + nmap /cidr Scan Entire Subnet + nmap -p 1-65535 -p specify Port Numbers to scan. + nmap -p U:,T: Scan specified TCP and UDP ports. use "" for all. + nmap -sU Scan 1000 Common UDP Ports + nmap -T<0-5> -T specify intensity of scan to time taken by scan. 5 is fastest and 0 is slowest. Default Speed is 3(-T3). + nmap -sT TCP Connect Scan + nmap -iL list.txt Scan ip written in list.txt file (Separate IP by Space, Tab or New Line). --exclude file list.txt (to exclude ip from search) + nmap -A Aggressive Scan (it use -O -sC --traceroute -sV) options + nmap -O -O is used for OS Detection + nmap -sC -sC is used to run Default NSE Scripts --- --script + nmap -sV -sv is used for Service Version Detection + nmap -6 IPv6 Scan + nmap -sS Sync Scan/Ping. Helpful in case where ICMP pings are blocked. + nmap -sA ACK Scan/Ping. Helpful in case where ICMP pings are blocked. Null Scan + nmap --scanflags SYNACKFIN We can set flags using --scanflags option. + nmap -Pn Don't Ping Scan (When Firewall block Ping Packets) + nmap -sR Scan for RPC (Remote Procedure Call) Service + Hping3 + hping3 --icmp --verbose Ping Scan in Verbose + hping3 --scan Scan for Open Ports on IP (--ack, --syn, --fin, --urg) + hping3 --udp --verbose UDP port Scan in Verbose + +-------------------------------------------------------------------------- +## k3. Security Implemented (Firewall, IDS, IPS) Detection and evasion + nmap -f -f will fragment packets in 8-byte packets. Helpful when attempting to evade some older or improperly configured firewall or we can specify packet fragment size using --mtu " option. Size should be multiple of 8 + nmap -D RND: -D Decoy option is used to mask an Nmap scan by using one or more decoys. Decoy is used to hide identity. RND is Number of Decoy Address to be used. We can also specify Addresses by our own. as nmap -D decoy1,decoy2,decoy3,etc + nmap -sX Nmap XMas Scan (if Firewall is enable you get (all thousand ports are closed/filtered), if Firewall is disable you get (Closed). Xmas Scan use PSH+URG+FIN flag or All flag for packets and create abnormal situation for client for which client either respond with RST Flag or some relevant info. +-------------------------------------------------------------------------- +## We can also use Zenmap +--------------------------------------------------------------------------